https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925941#M18243 <HTML><HEAD></HEAD><BODY><P>Very good comment and suggestion Syed.</P><P>I just want to add that I tested this suggested config and it works perfectly.</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 10 Jun 2008 22:20:30 GMT Gilles Dufour 2008-06-10T22:20:30Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925938#M18240 <P>Hi there,</P><P></P><P>I have 2 servers loadbalanced using ssl. I have a few URL's which I would like to exclude from the ssl:</P><P></P><P>/view/avac_message.cfm?denied=safeSurfOn</P><P>/view/avac_message.cfm?denied=illegal</P><P>/view/avac_message.cfm?denied=blacklist</P><P></P><P>The content switch seems to have an issue with special characters like . ? =</P><P></P><P>I have tried encapsulating them in [.] but still comes up invalid</P><P></P><P>General idea is as follows:</P><P></P><P>1. Class Map to match the URL</P><P></P><P>(config)# class-map type http inspect HTTP_URLCHECK_L7CLASS</P><P>host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=safeSurfOn</P><P>host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=illegal</P><P>host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]blacklist</P><P></P><P>2. Layer 7 Policy Map to apply the match</P><P></P><P>host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICY</P><P>host1/Admin(config-pmap-ins-http)# class L7_HTML_ALLOW_CLASS</P><P>host1/Admin(config-pmap-ins-http-c)# permit log</P><P>host1/Admin(config-pmap-ins-http-c)# exit</P><P></P><P>3. Layer 3 and 4 Policy Map to activate the traffic classifications</P><P></P><P>host1/Admin(config)# policy-map multi-match L4_FILTER_POLICY</P><P>host1/Admin(config-pmap)# class L4_MATCH_HTTP_URL_CLASS</P><P>host1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICY</P><P>host1/Admin(config-pmap-c)# exit</P><P>host1/Admin(config-pmap)# exit</P><P>host1/Admin(config)#</P><P></P><P>Can anyone advise a workaround to apply these url statements please?</P><P></P><P>Thanks</P><P></P> Tue, 10 Jun 2008 10:33:51 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925938#M18240 fiachragroarke 2008-06-10T10:33:51Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925939#M18241 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To escape special characters that have another meaning in a regular expression you need to put a backslash before them - e.g. \. \?</P><P></P><P>HTH</P><P></P><P>Cathy</P></BODY></HTML> Tue, 10 Jun 2008 15:36:05 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925939#M18241 ciscocsoc 2008-06-10T15:36:05Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925940#M18242 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P> The '?' has a special meaning in the URL. It means the end of the main URL and the beginning of the URL query. </P><P></P><P>Its not possible to match ? in the url.</P><P></P><P>One option could be using secondary cookie matching in ACE.</P><P></P><P>class-map type http loadbalance match-any xyz</P><P> 2 match http cookie secondary denied cookie-value safeSurfOn</P><P> </P><P>Thanks</P><P>Syed</P><P></P><P></P><P></P></BODY></HTML> Tue, 10 Jun 2008 18:44:15 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925940#M18242 Syed Iftekhar Ahmed 2008-06-10T18:44:15Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925941#M18243 <HTML><HEAD></HEAD><BODY><P>Very good comment and suggestion Syed.</P><P>I just want to add that I tested this suggested config and it works perfectly.</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 10 Jun 2008 22:20:30 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925941#M18243 Gilles Dufour 2008-06-10T22:20:30Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925942#M18244 <HTML><HEAD></HEAD><BODY><P>Problem solved, I used the below syntax and the ACE accepted this. Just need to test now</P><P></P><P>class-map type http inspect match-any HTTP_URLCHECK_L7CLASS</P><P> 100 match url .*denied=safeSurfOn</P><P> 200 match url .*denied=illegal</P><P> 300 match url .*denied=blacklist</P><P> 400 match url .*logo.jpg</P><P></P><P>Big thanks to all who responded !!!!</P><P></P></BODY></HTML> Thu, 12 Jun 2008 09:34:12 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925942#M18244 fiachragroarke 2008-06-12T09:34:12Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925943#M18245 <HTML><HEAD></HEAD><BODY><P></P><P>I think it wont work. </P><P>As I said earlier URL ends at ? delimeter. </P><P></P><P>Any ways try it and let me know.</P><P></P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Thu, 12 Jun 2008 16:44:13 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925943#M18245 Syed Iftekhar Ahmed 2008-06-12T16:44:13Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925944#M18246 <HTML><HEAD></HEAD><BODY><P>OK, not to confuse the issue, but I have applied the below config and I cannot seem to get the url match policy to allow traffic to pass as http, while forcing all other traffic to redirect as https</P><P></P><P>Can Anyone tell me what I am doing wrong here please?:</P><P></P><P>rserver host Server01</P><P> description Primary Server</P><P> ip address 10.x.x.1</P><P> conn-limit max 2000000 min 1500000</P><P> inservice</P><P>rserver host Server02</P><P> description Secondary Server</P><P> ip address 10.x.x.2</P><P> conn-limit max 2000000 min 1500000</P><P> inservice</P><P>rserver redirect Server_Redirect</P><P> webhost-redirection <A class="jive-link-custom" href="https://www.mysite.ie" target="_blank">https://www.mysite.ie</A></P><P> inservice</P><P></P><P>serverfarm host ServerAuth</P><P> rserver Server01 3807</P><P> inservice</P><P> rserver Server02 3807</P><P> inservice</P><P>serverfarm redirect ServerHTTP_Redirect</P><P> rserver Server_Redirect</P><P> inservice</P><P>serverfarm host ServerServers</P><P> rserver Server01 80</P><P> inservice</P><P> rserver Server02 80</P><P> inservice</P><P></P><P>sticky http-cookie server-cookie Server_Cookie_Sticky_Group</P><P> cookie insert</P><P> timeout 21</P><P> serverfarm MyServers</P><P></P><P></P><P>class-map type http inspect match-any HTTP_URLCHECK_L7CLASS</P><P> 100 match url .*denied=safeSurfOn</P><P> 200 match url .*denied=illegal</P><P> 300 match url .*denied=blacklist</P><P> 400 match url .*logo.jpg</P><P>class-map match-any L4_Server_Auth</P><P> description match traffic for Authentication</P><P> 2 match virtual-address 10.103.3.9 tcp eq 3807</P><P>class-map match-any L4_Server_HTTP</P><P> description match traffic for VIP and HTTP Traffic</P><P> 2 match virtual-address 10.103.3.9 tcp eq www</P><P>class-map match-any L4_Server_HTTPS</P><P> description match traffic for VIP and HTTPS Traffic</P><P> 2 match virtual-address 10.x.x.99 tcp eq https</P><P>class-map type http loadbalance match-any L7_Server_URL</P><P> 2 match http url .*</P><P></P><P>policy-map type loadbalance first-match L7_Server_LBPolicy</P><P> description Server Layer 7 Load Balancing Policy</P><P> class L7_Server_URL</P><P> sticky-serverfarm Server_Cookie_Sticky_Group</P><P></P><P>policy-map type loadbalance first-match L7_Server_LBPolicy_Auth</P><P> class L7_Server_URL</P><P> serverfarm ServerAuth</P><P></P><P>policy-map type loadbalance first-match L7_Server_LBPolicy_HTTP</P><P> class L7_Server_URL</P><P> serverfarm ServerHTTP_Redirect</P><P>policy-map type inspect http all-match L7_URLCHECK_POLICY</P><P> class HTTP_URLCHECK_L7CLASS</P><P> permit</P><P></P><P></P><P>policy-map multi-match L4_FILTER_POLICY</P><P> description L$ Server URL AVAC CHECK</P><P> class L4_Server_HTTP</P><P> loadbalance vip inservice</P><P> loadbalance vip icmp-reply active</P><P> loadbalance vip advertise active</P><P> inspect http policy L7_URLCHECK_POLICY</P><P>policy-map multi-match L4_Server_LBPolicy</P><P> description L4 Server Load-Balancing Policy</P><P> class L4_Server_HTTP</P><P> loadbalance vip inservice</P><P> loadbalance policy L7_Server_LBPolicy_HTTP</P><P> loadbalance vip icmp-reply active</P><P> loadbalance vip advertise active</P><P> class L4_Server_HTTPS</P><P> loadbalance vip inservice</P><P> loadbalance policy L7_Server_LBPolicy</P><P> loadbalance vip icmp-reply</P><P> loadbalance vip advertise active</P><P> ssl-proxy server SSL_Server_Server</P><P> class L4_Server_Auth</P><P> loadbalance vip inservice</P><P> loadbalance policy L7_Server_LBPolicy_Auth</P><P> loadbalance vip icmp-reply</P><P> loadbalance vip advertise active</P><P></P><P>interface vlan 291</P><P> service-policy input L4_Server_LBPolicy</P><P></P><P></P></BODY></HTML> Fri, 13 Jun 2008 00:16:39 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925944#M18246 fiachragroarke 2008-06-13T00:16:39Z https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925945#M18247 <HTML><HEAD></HEAD><BODY><P>Thank you for the nice solution. I just want to add to your post, that multiple "match http cookie secondary" statements are possible under the same class-map. Match-all keyword can be used for more granular class-map matching.</P><P></P><P>Lubomir</P></BODY></HTML> Tue, 11 Sep 2012 14:11:52 GMT https://community.cisco.com/t5/application-networking/ace-url-matching/m-p/925945#M18247 Lubo1 2012-09-11T14:11:52Z